1 New Features and Changes

Unbreakable Enterprise Kernel Release 6 (UEK R6) is a heavily tested and optimized operating system kernel for Oracle Linux 7.7 and later, and Oracle Linux 8.1 and later. The kernel is developed, built, and tested on the 64-bit Arm (aarch64), Intel 64-bit (x86_64), and AMD 64-bit (x86_64) platforms. The kernel is based on the mainline Linux kernel version 5.4. This release also includes updated drivers, as well as bug and security fixes.

Oracle actively monitors upstream check-ins and applies critical bug and security fixes to UEK R6.

UEK R6U3 uses the 5.4.17-2136 version and build of the UEK R6 kernel, which includes security and bug fixes, as well as driver updates.

UEK R6 uses the same versioning model as the mainline Linux kernel version. It is possible that some applications might not understand the 5.4 versioning scheme. However, regular Linux applications are usually neither aware of nor affected by Linux kernel version numbers.

UEK R6 maintains compatibility with the Red Hat Compatible Kernel (RHCK) and does not disable any features that are enabled in RHCK. Additional features are enabled to provide support for key functional requirements and patches are applied to improve performance and optimize the kernel for use on Oracle operating environments.

The kernel's source code is available through a public git source code repository at https://github.com/oracle/linux-uek.

Notable Features and Changes

The following are the major new features and changes that are included in Unbreakable Enterprise Kernel Release 6 Update 3 (UEK R6U3).

Core Kernel Functionality

UEK R6U3 provides core kernel functionality that is equivalent to UEK R6, but is updated to the upstream mainline kernel v5.4.83 release tag and includes upstream LTS bug fixes, with additional patches to enhance existing functionality and provide minor bug fixes and security improvements. All of the key changes are specific to the functionality that is required for Oracle Database and other Oracle software.

WireGuard Communication Protocol

WireGuard is a communication protocol for building encrypted virtual private networks (VPNs) that pass traffic over the User Datagram Protocol (UDP).

Note:

WireGuard, which has been enabled in UEK R6 as a technology preview feature since UEK R6U1, is fully supported in UEK R6U3.

WireGuard is a secure, easy-to-use, and faster replacement for the legacy IPsec and OpenVPN tunneling protocols. The feature uses proven cryptography protocols and algorithms to protect data. Although IPsec remains the standard for secure network communication, WireGuard is simpler to configure and deploy. By comparison, its configuration is likened to setting up SSH. These are some of the reasons that administrators are choosing to build new networks with the more modern cryptography that WireGuard uses.

WireGuard uses public key encryption for identification and encryption, while OpenVPN uses certificates for these tasks. With WireGuard, secure key generation and management is handled in the background.

WireGuard uses a server/client mode for its configuration and deployment. Note that you can configure and deploy WireGuard on both IPv4 and IPv6 networks.

To configure and deploy WireGuard, the wireguard-tools package must be installed on the server and client systems, which enables communication between both hosts.

You can verify that the wireguard-tools package is installed by using the following command:

$ rpm -qa | grep wireguard

You can verify that the wireguard kernel module is present on the system by using the following command:

$ modinfo wireguard

For more information and step-by-step instructions, see Oracle Linux: Configuring Virtual Private Networks.

vmemmap Reduction Capability for HugeTLB Pages Added

This release includes an enhancement that frees some vmemmap pages (pages of struct page structures) that are associated with each HugeTLB page. By removing redundant page structs for HugeTLB pages, memory can be returned to the buddy allocator for other uses.

To enable this feature, boot the system by using the hugetlb_free_vmemmap=on option. When enabled, messages similar to the following are displayed during boot:

HugeTLB: can free 4094 vmemmap pages for hugepages-1048576kB
HugeTLB: can free 6 vmemmap pages for hugepages-2048kB
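
The following added example (not Oracle's code) derives the two counts in the boot messages above and checks reported values against them. It assumes 4 KiB base pages, a 64-byte struct page, and two vmemmap pages retained per huge page; these values are assumptions that are consistent with the quoted x86_64 output, not figures stated in this document.

```python
import re

PAGE_SIZE = 4096            # assumption: 4 KiB base pages (x86_64)
STRUCT_PAGE_SIZE = 64       # assumption: sizeof(struct page) on x86_64
RESERVED_VMEMMAP_PAGES = 2  # assumption: vmemmap pages kept per huge page

# Boot messages quoted on this page.
BOOT_MESSAGES = """\
HugeTLB: can free 4094 vmemmap pages for hugepages-1048576kB
HugeTLB: can free 6 vmemmap pages for hugepages-2048kB
"""

MESSAGE_RE = re.compile(
    r"HugeTLB: can free (\d+) vmemmap pages for hugepages-(\d+)kB")


def freeable_vmemmap_pages(hugepage_kb):
    """vmemmap pages that can be freed for one huge page of the given size."""
    base_pages = hugepage_kb * 1024 // PAGE_SIZE   # one struct page per base page
    vmemmap_pages = base_pages * STRUCT_PAGE_SIZE // PAGE_SIZE
    return max(vmemmap_pages - RESERVED_VMEMMAP_PAGES, 0)


def check_boot_messages(text):
    """Return (hugepage_kb, reported, expected) for each HugeTLB boot message."""
    return [(int(kb), int(reported), freeable_vmemmap_pages(int(kb)))
            for reported, kb in MESSAGE_RE.findall(text)]


def reclaimed_bytes(hugepage_kb, nr_hugepages):
    """Memory returned to the buddy allocator for a pool of huge pages."""
    return nr_hugepages * freeable_vmemmap_pages(hugepage_kb) * PAGE_SIZE


if __name__ == "__main__":
    for kb, reported, expected in check_boot_messages(BOOT_MESSAGES):
        status = "ok" if reported == expected else "MISMATCH"
        print(f"hugepages-{kb}kB: reported {reported}, "
              f"expected {expected} ({status})")
    print("100 x 1 GiB pool frees", reclaimed_bytes(1048576, 100), "bytes")
```

A mismatch between the reported and expected counts indicates that one of the assumed constants does not hold for the running kernel or platform.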

io_uring Asynchronous I/O Framework

Further integration of the io_uring Asynchronous I/O (AIO) framework has taken place in this release. io_uring is a Linux kernel interface that provides submission and completion queue rings, which are then shared between the kernel and user space to avoid copies.

In addition to the more established features that have been added to the io_uring framework in this release, UEK R6U3 also includes the new polled I/O mode (IORING_SETUP_IOPOLL) feature, which provides the following functionality:

  • Standard file control operations: FALLOCATE, OPENAT2, STATX, MADVISE, FADVISE, and TEE.

  • Operations on sockets: ACCEPT, CONNECT, SEND(2) and RECV(2) messages, and EPOLL_CTL.

  • Capability for sharing of io-wq workqueue (IORING_SETUP_ATTACH_WQ) from another ring.

  • Addition of the IORING_REGISTER_PROBE call for probing and receiving information about supported features from the io_uring framework in the kernel.

  • Inclusion of the SPLICE(2) call.

  • Inclusion of the IORING_REGISTER_RESTRICTIONS call, which enables the application to grant access to its file descriptors to untrusted applications or guests.

  • IORING_OP_PROVIDE_BUFFERS call, which uses the buffer registration infrastructure to enable the passing of an addr/len that is associated with a buffer ID and a buffer group ID.

  • IORING_BUFFER_SELECT support for the vectored read calls, IORING_OP_READV and IORING_OP_READVMSG.

kabi_whitelist Package Renamed kabi_stablelist

The kabi_whitelist package has been renamed kabi_stablelist. This change was made in accordance with Oracle's commitment to replace problematic and potentially offensive language.

Note:

A similar renaming has already taken place in the Oracle Linux 8 release.

Nested Virtualization on the AMD Platform

Capability for nested virtualization on the AMD 64-bit (x86_64) platform is enhanced in this release through the implementation of an extensive number of stability fixes.

NVMe Improvements

To accommodate NVMe standards changes, and as the technology continues to evolve and change, ongoing improvements are being made to the Non-Volatile Memory Express (NVMe) feature. Compared to legacy protocols, NVMe provides advanced capability for accessing high-speed storage media.

Along with several bug fixes, this release introduces the NVMe Target Passthru feature. The Target Passthru feature enables you to export an entire NVMe controller through the NVM Express over Fabrics (NVMe-oF) specification. When exported in this manner, versus exporting each namespace as a block device, all NVMe commands are passed to the given controller unmodified, including both administrative commands and Vendor Unique Commands (VUCs). A passthru target exposes all of the namespaces for a given device to the remote host.

New RDMAIP Tracepoints Introduced

In previous releases, the resilient_rdmaip kernel module used the trace_printk() function directly for debugging its infrastructure, which resulted in a banner warning about trace_printk() and memory usage that was not relevant to the resilient_rdmaip kernel module.

UEK R6U3 introduces new tracepoints that replace the use of trace_printk() for debugging the resilient_rdmaip kernel module's infrastructure.

Each of the following new tracepoints corresponds to one of the three debug levels that are supported by resilient RDMA debug messages:

  • trace_rdma_debug_l1

  • trace_rdma_debug_l2

  • trace_rdma_debug_l3

Secure Boot Enhancement

In this release, Secure Boot has been modified to additionally check the platform keyring, which includes the Machine Owner Key (MOK) list. This enhancement enables third-party and custom key signed modules to be loaded whenever Secure Boot is enabled.

vDPA Implementation on Mellanox ConnectX-6Dx for Oracle Linux

The Virtual Data Path Acceleration (vDPA) framework on the Mellanox ConnectX-6Dx network adapter is improved in this release. The vDPA framework supports emerging technologies such as Single Root I/O Virtualization (SR-IOV) Virtual Function and Mellanox SubFunction, by providing an abstraction and translation layer on top. vDPA uses the Virtio ring layout and places a single, standard Virtio driver in the guest, which is decoupled from the vendor implementation.

In UEK R6U3, notable vDPA improvements include the vDPA management tool API for orchestration and configuration, vDPA SubFunction (SF) support for bypassing the PCIe specification's imposed limit on the number of virtual functions (VFs) per physical function (PF) that can be created, and Mellanox mlx5_vdpa driver support for doorbell mapping.

vhost and vhost-scsi Performance Improvements

Some performance improvements related to block storage for the vhost and vhost-scsi modules are introduced in this release. In particular, kernel improvements were made to boost IOPS (input/output operations per second) for a vhost SCSI device over dm-multipath.

In addition, an improvement was made to enable QEMU to create multiple vhost worker threads and map them to different guest SCSI device virtqueues.

Integrity Measurement Architecture Default Policy

The Integrity Measurement Architecture (IMA) subsystem, which has been present in the Linux kernel since the upstream 2.6.30 release, maintains a list of hashes of sensitive files on a system. This information can prevent the loading of files or binaries that do not match these hashes. The IMA feature helps maintain system integrity and also can be used to prevent modifications to system critical files. A default IMA policy is set in UEK R6U3 and is also backported in an errata update for UEK R6U2. The updated policy can be reviewed in /sys/kernel/security/ima/policy:

measure func=KEXEC_KERNEL_CHECK
measure func=MODULE_CHECK

The default policy measures the kexec image and all kernel module binaries. Note that although this default policy enables the measurement of these items, it does not define any appraisal policy.
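
The following added example (not Oracle's code) parses IMA policy text in the format shown above and reports which hooks are measured but have no appraise rule, which is the state that the default policy leaves the system in. The second policy string, which adds an appraise rule for MODULE_CHECK, is constructed for comparison and is not part of the UEK default policy.

```python
from dataclasses import dataclass, field

# Rule actions accepted by the IMA policy parser.
ACTIONS = {"measure", "dont_measure", "appraise", "dont_appraise",
           "audit", "hash", "dont_hash"}

# The two rules this page shows for the UEK R6U3 default policy.
UEK_DEFAULT_POLICY = "measure func=KEXEC_KERNEL_CHECK\nmeasure func=MODULE_CHECK\n"

# Constructed for comparison (not the UEK default): adds module appraisal.
CONSTRUCTED_POLICY = (UEK_DEFAULT_POLICY +
                      "appraise func=MODULE_CHECK appraise_type=imasig\n")


@dataclass
class Rule:
    action: str
    conditions: dict = field(default_factory=dict)


def parse_policy(text):
    """Parse policy text, as read from /sys/kernel/security/ima/policy."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):      # blank line or comment
            continue
        action, *tokens = line.split()
        if action not in ACTIONS:
            raise ValueError(f"line {lineno}: unknown action {action!r}")
        conditions = {}
        for token in tokens:
            key, sep, value = token.partition("=")
            conditions[key] = value if sep else True   # bare flags
        rules.append(Rule(action, conditions))
    return rules


def audit(rules):
    """Group hooks by action; '*' stands for a rule that names no func=."""
    def hooks(action):
        return {r.conditions.get("func", "*") for r in rules if r.action == action}

    measured, appraised = hooks("measure"), hooks("appraise")
    # A hook is measurement-only when no appraise rule names it and no
    # appraise rule without func= exists. Other conditions (uid=, fowner=,
    # ...) are ignored here, so appraisal coverage may be narrower than reported.
    measured_only = set() if "*" in appraised else measured - appraised
    return {"measured": measured, "appraised": appraised,
            "measured_only": measured_only}


if __name__ == "__main__":
    for name, text in (("UEK R6U3 default", UEK_DEFAULT_POLICY),
                       ("constructed", CONSTRUCTED_POLICY)):
        report = audit(parse_policy(text))
        print(name, {k: sorted(v) for k, v in report.items()})
```

For the default policy, both hooks are reported as measurement-only: their hashes are recorded in the measurement list, but nothing blocks a kexec image or module whose hash or signature is unexpected.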

Technology Preview Features

Several features are under investigation and ongoing development for release within UEK R6. The following features are available in UEK R6U3 as a technology preview.

  • Core scheduling

    The core scheduling feature that is enabled in the kernel restricts concurrent execution on CPU cores that share compute resources to trusted tasks. This feature mitigates certain categories of 'core shared cache' processor bugs that could cause data leakage and other related vulnerabilities. Core scheduling has been enabled in UEK R6 as a technology preview feature since UEK R6U1. This feature is under ongoing, active development.

  • NFS v4.2 server-side copy

    NFS v4.2 server-side copy (SSC) functionality is backported from the upstream kernel and has been available in UEK R6 as a technology preview since UEK R6U1. The server-side copy feature provides mechanisms that enable an NFS client to copy file data on a server, or between two servers, without it being transmitted back and forth over the network through the NFS client.

Deprecated Features

The following features are deprecated in this UEK R6 release.

oracleasm Kernel Module Deprecated

The oracleasm kernel module is deprecated in this release. Note that although the module continues to be supported in UEK R6U3, it may be removed in a future UEK release.

DRBD Deprecated

The DRBD (Distributed Replicated Block Device) kernel module, and the associated drbd-utils package, is deprecated with UEK R6U3. The DRBD kernel module was introduced as a technology preview in UEK R4 and continues to be enabled in UEK R5 and UEK R6. However, this module and the drbd-utils package may be removed in a future UEK release.

Cisco fnic 1.6 driver Unsupported

Cisco no longer supports the Cisco FCoE HBA Driver (fnic 1.6) that is sourced from the upstream kernel and which is available in most kernels, including UEK R5, UEK R6, and UEK R7. Cisco provides a fully supported UCS Linux driver (version 2.0.0.83, and later) that is tested on and compatible with Oracle Linux, with UEK R5 and later UEK releases, on the Cisco software download page. The driver package includes features that are not available in the currently included driver module such as NVMe support and multi-queue support.

Customers who are running Oracle Linux on Cisco servers must install the Cisco driver package to receive driver fixes, driver updates, new hardware support, and new feature support. Contact Cisco for more information about driver solutions on Oracle Linux.

Driver Updates

The Unbreakable Enterprise Kernel Release 6 supports a large number of hardware devices. In close cooperation with hardware and storage vendors, Oracle has updated several device drivers from the versions in mainline Linux 5.4.

A complete list of the driver modules included in UEK R6, along with version information, is provided in the appendix at Driver Modules in Unbreakable Enterprise Kernel Release 6 (x86_64).

The following new features are noted in the drivers that are shipped with UEK R6U3:

  • Broadcom BCM573xx network driver

    The Broadcom BCM573xx network driver, bnxt_en, is updated to version 1.10.2 in this release. A large number of upstream and vendor supplied patches are included to resolve various bugs and to provide newer features and updates. Notably, PTP functionality is enabled and several improvements for RoCE have been included.

  • Cisco FCoE HBA driver

    The Cisco FCoE HBA driver, fnic, is updated to version 1.6.0.53 in this release. Several upstream patches are included to resolve various bugs.

    See Cisco fnic 1.6 driver Unsupported.

  • Intel Ethernet Connection E800 Series Linux driver

    The Intel Ethernet Connection E800 Series Linux driver, ice, continues to report as version 0.8.2-k in this release, but includes a large number of vendor supplied patches. This driver is tested against the latest 25 GbE and 100 GbE E810 network interface cards.

  • Broadcom Emulex LightPulse Fibre Channel SCSI driver

    The Broadcom Emulex LightPulse Fibre Channel SCSI driver, lpfc, is updated to version 12.8.0.10, with vendor supplied patches and bug fixes. Several patch updates were additionally applied to the NVMe Fibre Channel transport driver, nvme-fc, for improved functionality and to resolve issues identified by the vendor.

  • Microsoft Azure Network Adapter driver

    The Microsoft Azure Network Adapter driver, mana, is included in this release. Upstream and vendor supplied patches are included and the driver is intended for use on Oracle Linux 8.

  • MPI3 Storage Controller device driver

    The MPI3 Storage Controller device driver, mpi3mr, is included in this release at version 00.255.45.01. Upstream and vendor supplied patches are included and the driver is intended to support the next generation of 96XX HBA and RAID controller devices from Broadcom.

  • QLogic FastLinQ 4xxxx Core module

    The QLogic FastLinQ 4xxxx Core module, qed, is updated to version 8.37.0.20 and includes many additional vendor supplied patches, including patches for version 8.42.2.0 firmware.

  • QLogic FastLinQ 4xxxx Ethernet driver

    The QLogic FastLinQ 4xxxx Ethernet driver, qede, is updated to version 8.37.0.20 and includes additional vendor supplied patches.

  • QLogic FastLinQ 4xxxx FCoE module

    The QLogic FastLinQ 4xxxx FCoE module, qedf, is updated to version 8.42.3.0 and includes vendor supplied patches to update this driver in line with upstream changes.

  • QLogic FastLinQ 4xxxx iSCSI module

    The QLogic FastLinQ 4xxxx iSCSI module, qedi, is updated to version 8.37.0.20 and includes vendor supplied patches to update this driver in line with upstream changes.

  • QLogic Fibre Channel HBA driver

    The QLogic Fibre Channel HBA driver, qla2xxx, is updated to version 10.02.00.106-k and includes several vendor supplied patches.

  • Microsemi Smart Family Controller driver

    The Microsemi Smart Family Controller driver, smartpqi, is updated to version 2.1.8-045 and includes several upstream patches.

  • pvpanic driver

    The pvpanic driver, used to trigger events within libvirtd in the event that a guest virtual machine encounters a kernel panic, is updated to include a PCI component to enable this functionality on Arm (aarch64) platforms. Previously, the driver only functioned as an ISA bus device, which limited its use to x86 platforms.

Compatibility

Oracle Linux maintains full user space compatibility with Red Hat Enterprise Linux (RHEL), which is independent of the kernel version that is running underneath the operating system. Existing applications in user space continue to run unmodified on the Unbreakable Enterprise Kernel Release 6 and no re-certifications are needed for RHEL certified applications.

To minimize impact on interoperability during releases, the Oracle Linux team works closely with third-party vendors whose hardware and software have dependencies on kernel modules. The kernel ABI for UEK R6 remains unchanged in all subsequent updates to the initial release. In this release, there are changes to the kernel ABI relative to UEK R5 that require recompilation of third-party kernel modules on the system. Before installing UEK R6, verify its support status with your application vendor.

Notable changes in kernel headers

Upstream changes to kernel headers may mean that third party modules do not compile across different kernel versions without modification to source code. Notably, the memcg_cache_params structure has been moved from include/linux/slab.h to mm/slab.h. This means that code needs to be refactored to account for the change if you are compiling across kernel versions.

To solve this problem so that the code compiles for both UEK R5 and UEK R6, make the affected header includes conditional on the kernel version. For example, change lines like those in the first example to what is shown in the second example:

#ifdef CONFIG_SLUB
#include <linux/slub_def.h>
#endif

#include <linux/version.h>

/* Include slub_def.h only when building against kernels older than 5.4. */
#if ( LINUX_VERSION_CODE < KERNEL_VERSION(5,4,0) )

#ifdef CONFIG_SLUB
#include <linux/slub_def.h>
#endif

#endif

Certification of UEK R6 for Oracle products

Note that the certification of different Oracle products on UEK R6 may not be immediately available at the time of a UEK R6 release. You should always check to ensure that the product you are using is certified for use on UEK R6 before upgrading or installing the kernel. Check certification at https://support.oracle.com/epmos/faces/CertifyHome.

Oracle Automatic Storage Management Cluster File System (Oracle ACFS) certification for different kernel versions is described in Document ID 1369107.1, which is available at https://support.oracle.com/epmos/faces/DocumentDisplay?id=1369107.1.

Oracle Automatic Storage Management Filter Driver (Oracle ASMFD) certification for different kernel versions is described in Document ID 2034681.1, which is available at https://support.oracle.com/epmos/faces/DocumentDisplay?id=2034681.1.